Hi, Srirama,

Thank you very much for your comments. Please see my replies inline.
> Hi Jason,
>
> Please see reply in line.
>
> Jason Zhao said the following on Tuesday 12 May 2009 09:23 AM:
>> Hi, Experts,
>>
>> After ARC review, per ARC committee's comments,
>> the snort source code needs to be modified.
>>
>> In summary, the change includes:
>> 1. Remove all the 64-bit delivery, because according to
>> the snort community, 64-bit is only
>> optional; its function is the same as 32-bit and
>> will stay the same. Delivering 64-bit binaries may
>> bring risk to Solaris, per the ARC committee's idea.
>> So I removed the 64-bit build from the source code.
>>
>> 2. Add SMF, since snort can be run as a daemon. It
>> is necessary to add it into SMF service per ARC's
>> idea. So I add snort.xml as SMF manifest and snortd
>> as executable script.
>>
>> 3. Add RBAC changes. Since snort relates to security,
>> ARC suggests giving the user of snort on Solaris limited
>> privileges. The privileges include the SMF privilege and
>> the privilege of running snort. This brings up an issue:
>> I am not sure how to change the RBAC files. Could anybody
>> who has experience tell me (wireshark, tcpdump...)?
>>
>> In my understanding, I think for sfwnv-gate, I could do
>> the RBAC work by modifying usr/src/common/rbac/*. In
>> this way, I modified the "auth_attr" and "exec_attr" by
>> adding the "snort" item.
>>
>> Could anyone tell me if it is the correct process? Thanks!
>>   
> Yes. In sfw-gate, the files under usr/src/common/rbac dir have to be 
> modified to add any new RBAC entries.
Thank you for that information!

And it is lucky I did the right work.
>
>> Here is the webrev:
>> http://cr.opensolaris.org/~jxzhao/snort/
>>
>>
>> Please review it and tell me your comments.
>>   
>
> The webrev looks mainly good to me.
>
> Please find a few comments below:
>
> 1. The METADATA file needs to conform to the new guidelines set by 
> Norm. Please refer to the link below for more info.
>     http://wikis.sun.com/display/SFWNotes/METADATA
Thank you.
Done.
>
> 2. In install-sfw, snort.xml itself is getting installed as snortd. I 
> guess you intended to install snortd SMF service method file at line 41.
>   40 _install N snort.xml ${ROOT}/var/svc/manifest/network/snort.xml 444
>   41 _install N *snort.xml* ${ROOT}/lib/svc/method/snortd 555
Thank you. I've modified that.
>
> 3. In snort.xml, in 'start' exec_method do you require method_context 
> to define user & group as noaccess and set basic privilege set ?
>     AFAIK, the privs specified in the authorizations you have added 
> into RBAC files should just be enough. Please check.
Since the snort SMF user and group are "noaccess:noaccess", I think
the user doesn't have the privilege to write SMF, so it needs the "basic" privilege.
In my test, if the user is "root", the "basic" privilege isn't necessary. However,
for the "noaccess" user, the "basic" privilege is required.

As follows:

1. Run snort SMF service *without* "basic" privilege.
[root@beigai:/var/run]# svccfg import /var/svc/manifest/network/snort.xml
[root@beigai:/var/run]# svcadm disable snort
[root@beigai:/var/run]# svcadm enable snort
[root@beigai:/var/run]# svcs -a | grep snort
maintenance    10:49:57 svc:/network/snort:default

2. Run snort SMF service *with* "basic" privilege.
[root@beigai:/var/run]# svccfg import /var/svc/manifest/network/snort.xml
[root@beigai:/var/run]# svcadm disable snort
[root@beigai:/var/run]# svcadm enable snort
[root@beigai:/var/run]# svcs -a | grep snort
online         10:49:13 svc:/network/snort:default

>
> 4. In SUNWsnortr/prototype_com, entry for auth_attr file is missing. 
> please add the same.
Thank you!

Done.
>
> 5. In SUNWsnortr/pkginfo.tmpl, please add the version info at the end 
> of DESC field (as specified in SUNWsnortu/pkginfo.tmpl)
Done.

Please review the 2nd version, thank you!

http://cr.opensolaris.org/~jxzhao/snort/

Thanks
Jason
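
Added example, not part of the original thread or of the snort webrev: a small lint for the method_context question in review comment 3, listing each exec_method's credential and flagging an explicit privileges list that leaves out "basic". The manifest is constructed, net_rawaccess is an assumed example privilege, and it is assumed that "without basic" means a privileges list that omits that token.

```python
import xml.etree.ElementTree as ET

# Constructed manifest (not the snort.xml from the webrev); net_rawaccess is
# an assumed example of a privilege granted to a packet sniffer.
SAMPLE = """\
<service_bundle type='manifest' name='snort'>
  <service name='network/snort' type='service' version='1'>
    <exec_method type='method' name='start'
        exec='/lib/svc/method/snortd start' timeout_seconds='60'>
      <method_context>
        <method_credential user='noaccess' group='noaccess'
            privileges='net_rawaccess'/>
      </method_context>
    </exec_method>
    <exec_method type='method' name='stop' exec=':kill' timeout_seconds='60'/>
  </service>
</service_bundle>
"""

# Privilege-set names that already include the fork/exec rights a shell
# method script needs in order to start.
BASE_SETS = {"basic", "all", "zone"}

def audit_methods(manifest_xml):
    """Return (method, user, privileges, lacks_basic) for each exec_method.

    Only per-method method_context elements are inspected.
    """
    rows = []
    for method in ET.fromstring(manifest_xml).iter("exec_method"):
        cred = method.find("method_context/method_credential")
        user = privs = None
        if cred is not None:
            user = cred.get("user")
            privs = cred.get("privileges")
        # An absent attribute or ":default" leaves the choice to SMF, so only
        # an explicit list can drop "basic" by mistake.
        explicit = privs not in (None, ":default")
        tokens = {t.strip().lower() for t in privs.split(",")} if explicit else set()
        lacks_basic = explicit and not (tokens & BASE_SETS)
        rows.append((method.get("name"), user, privs, lacks_basic))
    return rows

if __name__ == "__main__":
    for name, user, privs, lacks_basic in audit_methods(SAMPLE):
        flag = "MISSING basic" if lacks_basic else "ok"
        print(f"{name}: user={user} privileges={privs} -> {flag}")
```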

